RobbinHood ransomware tricks Windows into deleting defences

Sophos has published research into a novel type of ransomware attack in which cyber criminals are deploying legitimate, digitally signed hardware drivers to delete security products from their target systems before encrypting user data.

The RobbinHood ransomware works by exploiting an old vulnerability, CVE-2018-19320, that exists in a now-deprecated driver produced by Taiwanese firm Gigabyte, which still has a valid and unrevoked Verisign Authenticode signature and is still in use by many despite being discontinued.

The trusted and signed Gigabyte driver is used as a wedge to patch Windows kernels, load an unsigned and malicious driver, and take out defensive security applications from within kernel mode.

According to the Sophos researchers, this is the first time such an attack vector has been seen, even though ransomware attempting to circumvent security products is not new, but killing their processes from within kernel mode as opposed to user mode is clearly advantageous.

Importantly, the malicious driver contains only kill code and nothing else, which means that even if the target is running a fully patched Windows system with no known vulnerabilities, the attackers are still able to destroy security defences as a precursor to the actual ransomware attack.

Mark Loman, director of engineering at Sophos, said the firm’s analysis of RobbinHood showed how rapidly and dangerously the ransomware threat is evolving.

“This is the first time we have seen ransomware bring its own legitimately signed, albeit vulnerable, third-party driver to take control of a device and use that to disable the installed security software, bypassing the features specially designed to prevent such tampering. Killing the protection leaves the malware free to install and execute the ransomware uninterrupted,” he said.

Sophos found a number of indicators to suggest that the authors of the malicious driver are the same group behind RobbinHood, a strain of ransomware that caused chaos for many victims in 2019, notably the city of Baltimore in Maryland, where local government employees were locked out of their systems for over two weeks.

Loman set out a number of steps that users can take to protect themselves from RobbinHood. “We recommend a three-pronged approach. First, since today’s ransomware attacks use multiple techniques and tactics, defenders need to deploy a range of technologies to disrupt as many stages of the attack as possible, integrate the public cloud into their security strategy, and enable important functionality, including tamper protection, in their endpoint security software. If possible, complement this with threat intelligence and professional threat hunting,” he said.

“Second, apply strong security practices like multi-factor authentication, complex passwords, limited access rights, regular patching, and data backups, and lock down vulnerable remote access services. Last, but not least, invest and keep investing in employee security training.”

Full technical details of how RobbinHood works, along with indicators of compromise (IoCs), can be found on the Sophos blog.